JP2021024555A - Electric power steering control device - Google Patents

Abstract

To provide an electric power steering control device which can be reprogrammed.SOLUTION: Control program information to be an execution object by a CPU 21 is stored in a ROM 41 and reprogramming information transmitted by an OTA center 30 is stored in an external memory 51. The reprogramming information is stored in the external memory 51 during execution of the control program information by the CPU 21, the reprogramming information stored in the external memory 51 is read after a prescribed condition is established, and the control program information of the ROM 41 is rewritten by the reprogramming information. The CPU 21 performs assist control in which the rewritten reprogramming information is used as an execution object.SELECTED DRAWING: Figure 2

Description

The present invention relates to, for example, an electric power steering control device capable of rewriting (reprogramming) a control program.

In recent years, many devices are equipped with a microprocessor (CPU or MPU), and predetermined control is performed according to a control program stored in a storage device such as a memory. Even in vehicles such as automobiles, each of a large number of electronic control units (ECUs) mounted on the vehicle executes a software program developed according to the specifications to control the target vehicle.

Such a control program (software program) is modified by adding a new control algorithm after development for the purpose of adding functions, changing specifications, improving performance, and the like. For example, in Patent Document 1, in order to perform early rewriting of control software corresponding to performance improvement, a non-volatile memory which is built in a computer for vehicle control and stores control processing information at any time and this non-volatile memory On the other hand, a control device for an automobile provided with a storage assisting means for setting a non-rewritable area and rewriting the control processing information of the rewritable area with new control processing information is described.

On the other hand, in the electronic control unit ECU, there is a problem that the rewriting of the control program fails, for example, the battery voltage drops during the update of the control program and the update is interrupted. In order to deal with such a problem, for example, Patent Document 2 describes whether or not the engine can be started based on the determination result of whether or not there is an in-vehicle control device whose control program is being updated when the instruction signal for starting the engine is acquired. The control device for determining the above is disclosed.

Republished patent WO 99/17976 Japanese Patent No. 6465258

Since the conventional ECU has one storage unit including a non-volatile memory for storing the control program, the storage unit is written when reprogramming to update the control program to a new execution program. Since the mode is set, the control program cannot be read. As a result, there is a problem that the control by the ECU is stopped and the reprogramming information transmitted during the control cannot be accumulated.

That is, when there is only one memory, when receiving the repro information, the control is stopped once, the memory is shifted to the rewrite mode, and then the repro information is written. In the case of conventional vehicles, the situation of reprogramming is limited, such as writing repro information at a dealer.

A normal program for executing normal control and an information rewriting program used for rewriting information are stored in the memory space of the CPU of Patent Document 1, but the information rewriting program is stored during information rewriting. Is started, the operation of the normal program is stopped, and the information is rewritten by the information rewriting program. Therefore, when there is a request for information processing from the vehicle network to execute control, the operation of the normal program is normally stopped while the information is being rewritten by the information rewriting program, so the request for information processing from the vehicle network is made. There is a problem that it cannot be handled and the update program after rewriting the information cannot be downloaded.

When the control device described in Patent Document 2 fails to update the control program, the control program before the update held in the memory is used to avoid the failure to start the engine according to the start operation. Patent Document 2 does not disclose how to respond to cyber security requirements associated with the spread of automobiles (connected cars) having an Internet connection function.

For example, if a cyber security vulnerability is found and a security patch is installed by updating a control program, if the update fails, a new threat to the vulnerability will occur, causing enormous damage to the user's assets including the vehicle. Is assumed.

The present invention has been made in view of the above-mentioned problems, and an object of the present invention is that reprogramming can be performed quickly and easily, and if reprogramming fails, a notification to that effect is given to the outside again. It is to provide an electric power steering control device that enables reprogramming of the above.

The following configuration is provided as a means for achieving the above object and solving the above-mentioned problem. That is, the first exemplary invention of the present application is an electric power steering control device that drives an electric motor to assist and control the steering wheel operation of a driver such as a vehicle, and includes a control unit that executes the assist control. A first storage unit for storing control program information to be executed by the control unit and a second storage unit for storing reprogramming information transmitted from the outside are provided, and the reprogramming information is generated by the control unit. The control program information is stored in the second storage unit even during execution of the control program information, and the control unit reads out the reprogramming information stored in the second storage unit after the predetermined condition is satisfied, and the first storage unit It is characterized in that a rewriting step of rewriting the control program information of the storage unit of the above with the reprogramming information is performed, and assist control is performed for the reprogramming information rewritten by the rewriting step as an execution target.

An exemplary second invention of the present application is an electric power steering system, characterized in that the electric power steering control device according to the above-exemplified first invention is provided.

According to the present invention, even if the control unit continues the assist control, it is possible to store the reprogramming information transmitted from the outside and prepare for reprogramming. Further, even during the control operation, it is possible to prepare for reprogramming without interrupting the assist control, and it is possible to start steering assist with the updated reprogramming information that is rewritten at the timing based on a predetermined condition.

Furthermore, even if the reprogramming fails, the reprogramming information can be requested to be downloaded again, and the functions of the device can be degraded and transferred to a specialized dealer. In addition, the reprogramming information is a serious threat from the viewpoint of security. Can be prevented from being exposed to.

FIG. 1 is a diagram showing an overall configuration of a vehicle management system that manages a vehicle system including an electric power steering control device according to a first embodiment of the present invention. FIG. 2 is a diagram showing a detailed configuration of a motor control device as an electronic control unit ECU in an electric power steering control device. FIG. 3 is a flowchart showing a reprogramming process procedure in the motor control device of the electric power steering control device according to the first embodiment. FIG. 4 is a diagram showing a schematic configuration of an electric power steering system including the electric power steering control device according to the first embodiment. FIG. 5 is a diagram showing a configuration of a control unit and a memory in the motor control device (ECU) of the electric power steering control device according to the second embodiment. FIG. 6 is a diagram showing a detailed configuration of a motor control device as an electronic control unit ECU in the electric power steering control device according to the third embodiment. FIG. 7 is a flowchart showing a reprogramming process procedure in the motor control device of the electric power steering control device according to the third embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

[First Embodiment]
FIG. 1 shows the overall configuration of a vehicle management system that manages a vehicle system including an electric power steering control device according to a first embodiment of the present invention. The vehicle management system 1 shown in FIG. 1 is OTA (Over-the-air) for changing or adding functions of an electronic control unit (ECU) in the vehicle system 5 mounted on the vehicle 10. Update the software with.

The vehicle system 5 is connected to the OTA center 30 via a communication network (NW) 20. The communication network (NW) 20 is, for example, a digital communication network such as the Internet, a mobile phone network, and a wireless LAN (Local Area Network).

The OTA center 30 includes a communication unit 31, a compression unit 32, and a difference generation unit 33. The difference generation unit 33 serves as control programs for a plurality of ECUs in the vehicle system 5, a control program before update (also referred to as an old program or SW before update) and a control program after update (reprogramming information or SW after update). (Also called) difference data is generated. In the following, reprogramming may be simply referred to as repro.

The compression unit 32 compresses the difference data generated by the difference generation unit 33 to generate the difference compression data. The compression unit 32 compresses the difference data and encrypts the data. The generated differential compressed data is transmitted by the communication unit 31 to the vehicle system 5 via the communication network (NW) 20. In this way, by compressing and transmitting the difference data of the control program before and after the update instead of the control program itself, the amount of transmitted data is reduced, the communication cost is reduced, the communication time is shortened, and the data is transmitted to the vehicle system 5. Can be sent.

The in-vehicle system 5 includes a communication control unit (TCU) 11 and a gateway (Gateway: GW) 13. The TCU 11 receives the data from the OTA center 30, decrypts the encrypted received data, and then sends the data to the gateway 13.

The gateway 13 and the ECUs (endpoint ECUs) 7a to 7n are connected to each other via CAN (Controller Area Network), which is an in-vehicle network. The in-vehicle network is not limited to CAN, and may be a network such as Ethernet (registered trademark).

The gateway 13 performs data relay processing from the TCU 11 to the ECUs 7a to 7n by the CAN communication protocol. The gateway 13 is not a mere data relay, but accumulates decoded data (difference restoration data) as a control program in the in-vehicle system 5 for all ECUs 7a to 7n, and distributes them to each of the ECUs 7a to 7n. You may.

Further, the received data may be authenticated at the stage of sending the received data from the OTA center 30 from the TCU 11 to the gateway 13. That is, the gateway 13 not only accumulates the data received from the TCU 11 and restores the difference, but also performs an authentication process or the like to correct the error by the error correction code sent together with the difference data, and normally receives the difference data. You may try to confirm whether or not.

Next, the electric power steering control device (EPS) according to the present embodiment, which is one of the plurality of ECUs included in the vehicle system described above, will be described. FIG. 2 is a detailed configuration of the motor control device as the electronic control unit ECU in the electric power steering control device.

The ECU 7a as the motor control device (EPS control device) shown in FIG. 2 generates a motor drive signal from control signals from, for example, a control unit (CPU) 21 composed of a microprocessor and a CPU 21 that controls the entire device, and an FET. It includes an inverter control unit 23 that functions as a drive circuit, and an inverter circuit 24 that is a motor drive unit that supplies a predetermined drive current to the electric motor 15.

Power for driving the motor is supplied to the inverter circuit 24 from the external battery BT via the filter 26 and the power relay 27. The filter 26 is composed of an electrolytic capacitor and a coil (not shown), absorbs noise and the like contained in the power supply to the motor control device (ECU) 7a, and smoothes the power supply voltage. The power relay 27 is configured to be able to cut off the electric power from the battery BT, and is composed of, for example, a mechanical relay or a semiconductor relay. The filter 26 may be included in the inverter circuit unit 24.

The electric motor 15 is a three-phase brushless DC motor including a three-phase winding (Ua, Va, Wa) 15a composed of a U-phase, a V-phase, and a W-phase. The inverter circuit 24 for driving the electric motor 15 is a FET bridge circuit composed of semiconductor switching elements (FETs 1 to 6).

The switching elements (FETs 1 to 6) are also called power elements, and for example, semiconductor switching elements such as MOSFET (Metal-Oxide Semiconductor Field-Effect Transistor) and IGBT (Insulated Gate Bipolar Transistor) are used.

The switching elements (FETs 1 to 6) constituting the inverter circuit 24 are provided corresponding to each phase of the electric motor 15. That is, FETs 1 and 2 correspond to the U phase, FETs 3 and 4 correspond to the V phase, and FETs 5 and 6 correspond to the W phase.

In the inverter circuit 24, the drain terminals of FETs 1, 3 and 5 are connected to the power supply side, and the source terminals are connected to the drain terminals of FETs 2, 4 and 6. Further, the source terminals of FETs 2, 4 and 6 are connected to the ground (GND) side.

Therefore, the motor control device 1a has a single inverter configuration including one set of three-phase windings (Ua, Va, Wa) and one set of inverters that supply a drive current to those three-phase windings. ..

The motor control device (ECU) 7a is connected to another control unit (ECU) via CAN signal lines (CAN communication bus) 17H and 17L connected to an in-vehicle network (CAN) that exchanges various information of the vehicle 10. Data communication is performed between the two using the CAN protocol. The CAN signal lines 17H and 17L are two-wire communication lines including the CAN-H line and the CAN-L line used in the CAN protocol.

The motor control device (ECU) 7a has two storage units, a ROM (Read Only Memory) 41, for storing a control program, and an external memory 51 having a function as a second ROM different from the ROM 41. The ROM 41 stores a control program executed (currently executed) by the CPU 21. The CPU 21 reads and executes the control program stored in the ROM 41 to perform various processes related to power steering, communication with other ECUs, and the like.

The external memory 51 stores reprogramming information for rewriting the control program stored in the ROM 41 and adding update data, new data, and the like. The RAM (Random Access Memory) 43 is used as an occasional read / write memory for the CPU 21 to temporarily store various data required for control.

The ROM 41 and the external memory 51 are, for example, an EEPROM (Electrically Erasable and Programmable Read Only Memory) that can be electrically written and erased, or an electrically rewritable flash memory. The ROM 41 and the RAM 43 may be built in the CPU 21 as shown in FIG. 2, or may be arranged outside the CPU 21.

The CPU 21, the external memory 51, the IG voltage detection unit 45 described later, and the CANI / F47 are connected to each other via the data bus 25. The electric motor 15 is equipped with a rotation sensor 55 that detects the rotation position of the rotor, and the output signal from the rotation sensor 55 is input to the CPU 21 as rotation information.

Next, the reprogramming process in the electric power steering control device (EPS) according to the present embodiment will be described. FIG. 3 is a flowchart showing a reprogramming process procedure in the motor control device of the electric power steering control device according to the present embodiment.

Did the control unit (CPU) 21 of the motor control device (ECU) 7a receive the repro request command (rewrite start request command) from CAN17, which is the in-vehicle network, via CANI / F47 in step S11 of FIG. Judge whether or not. When the repro request is received, in step S13, the content of the repro request command is analyzed, and based on the analysis result of the repro request command, it is determined whether the parameter targeted for the repro request is the full programming area or the partial programming area. ..

In the following step S15, the CPU 21 determines whether the repro request command requests software update by wireless communication (OTA), or whether a medium other than wireless, for example, a direct repro by conventional wired connection is required. .. When there is a conventional repro request, the process proceeds to step S39.

When there is a repro request by the OTA, the CPU 21 stores the reprogramming information (repro data) transmitted from the OTA center 30 in the external memory 51 in step S17. Here, even if the CPU 21 accesses the control program stored in the ROM 41 and is executing a predetermined process, the repro data is stored in the external memory 51 while continuing the process. As a result, it becomes possible to prepare for reprogramming without interrupting the assist control of the power steering.

In step S19, the CPU 21 determines whether or not the reception of the repro data is normally completed. When the reception of the repro data is completed normally, it is determined in step S21 whether or not the specified condition is satisfied. The specified conditions are, for example, when it is determined that the vehicle 10 is stopped based on the information from the vehicle speed sensor 59, when the assist control is stopped, the IG-SW is based on the information from the IG voltage detection unit 45. (Ignition switch) 58 is determined to be OFF, the engine is determined to be in idle stop, and the like.

One end of the ignition switch (IG-SW) 58 is connected to the battery BT, and the other end is connected to the IG voltage detection unit 45. The IG voltage detection unit 45 AD-converts the ignition (IG) voltage value supplied via the IG-SW58 and inputs it to the CPU 21 as a digital IG voltage value.

When the above-mentioned specified conditions are satisfied, the CPU 21 confirms the validity of the received repro data in step S23. Here, for example, the validity of the repro data is monitored by a CRC (Cyclic Redundancy Check) signal which is an error detection value signal. Alternatively, the checksum in the repro data is checked, and if the checksums do not match, it is determined that an abnormality has occurred in the data or that communication with the OTA center has not been performed normally. If normal operation is not performed even if the checksums match, it is judged that the repro data is not normal.

If it is determined in step S25 that the repro data is valid, the CPU 21 saves the repro control area to the RAM 43 in step S27. This means that in the rewrite mode using the repro data, the program for performing the repro is expanded in the RAM 43, and the RAM 43 prepares for rewriting to the control information of the repro. On the other hand, in step S25, if it is determined that the repro data is not valid when the repro data is accumulated, the repro is interrupted.

In the following step S29, the CPU 21 performs reprogramming in which the contents of the ROM 41 are rewritten with the repro data developed in the step S27. Then, in step S31, the normality of the repro data itself is determined. For example, a known signature authentication technique is used to determine the integrity of the repro data, whether or not the repro data has been tampered with maliciously.

If the repro data is normal, the CPU 21 determines in step S35 whether or not the rewriting by the repro data is normally completed, and if not, returns the process to step S29 and rewrites by the repro data. Retry.

When it is determined in step S31 that the repro data is not normal, the CPU 21 saves the repro data in the external memory 51 in advance in step S33, and the control program executed by the CPU 21 (stored in the ROM 41 before the repro). (Old program confirmed to operate normally) is returned to ROM 41. As a result, the motor control device (ECU) 7a can be restored to normal operation.

When the location for saving the old program is the external memory 51 as described above, both the reprogramming information and the saved control program information are stored in the external memory 51, and the memory of the external memory 51 is stored. Although the capacity is large, it is possible to reduce the cost by using an external memory. An external memory other than the external memory 51 may be prepared and the old program may be saved in the external memory.

As reprogramming, there are a mode in which the entire control program before the update is rewritten with a new control program (reprogram) and a mode in which the control program is partially rewritten. For partial rewriting, a mode of rewriting some parameters of the control program before update, a mode of correcting some defects of the control program before update, and a mode of partially rewriting the control map data of the control program before update. There are modes and the like.

By such partial rewriting, the rewriting time can be shortened and the data communication path can be effectively used (congestion prevention). In addition, unnecessary information can be eliminated as reprogramming information.

FIG. 4 is a schematic configuration of an electric power steering system including an electric power steering control device according to the first embodiment of the present invention. The electric power steering system 60 of FIG. 4 includes a motor control device (ECU) 7a as an electronic control unit (ECU), a steering handle 62 as a steering member, a rotating shaft 63 connected to the steering handle 62, and a pinion. It includes a gear 66, a rack shaft 67, and the like.

The rotating shaft 63 meshes with a pinion gear 66 provided at its tip. The pinion gear 66 converts the rotational motion of the rotating shaft 63 into a linear motion of the rack shaft 67, and a pair of wheels 65a, 65b provided at both ends of the rack shaft 67 at an angle corresponding to the displacement amount of the rack shaft 67. Is steered.

The rotating shaft 63 is provided with a torque sensor 57 that detects the steering torque when the steering handle 62 is operated, and the detected steering torque is sent to the motor control device (ECU) 7a. The motor control device (ECU) 7a generates a motor drive signal based on signals such as steering torque acquired from the torque sensor 57 and vehicle speed from the vehicle speed sensor 59 (see FIG. 1), and outputs the signal to the electric motor 15. ..

An auxiliary torque for assisting the steering of the steering handle 62 is output from the electric motor 15 to which the motor drive signal is input, and the auxiliary torque is transmitted to the rotating shaft 63 via the reduction gear 64. As a result, the torque generated by the electric motor 15 assists the rotation of the rotating shaft 63, thereby assisting the driver in operating the steering wheel.

As described above, in the electric power steering control device according to the first embodiment, the reprogramming information is stored in the external memory even while the control unit is executing the control program, and the reprogram information is rewritten under a predetermined condition. After that, the assist control for executing the reprogramming information is performed.

That is, since the reprogramming information which is the updated control program is accumulated even during the execution of the control program, it is possible to prepare for the reprogramming without interrupting the assist control during the control operation by the control unit.

As a result, it is not necessary to make an early change to the latest control program for improving the performance of the vehicle through a dealer or the like, so that the vehicle can be easily and inexpensively changed even after the vehicle is sold. Further, by storing the reprogramming information in the external memory, it is possible to reduce the cost as compared with the configuration having a plurality of memories in the CPU.

As reprogramming, for example, depending on the content of the start request command received from CAN (Controller Area Network), reprogramming by wireless communication (OTA) or reprogramming using a medium other than wireless (wired) is performed by a sequence corresponding to each. Can be reprogrammed. In addition, by performing reprogramming according to the command, the timing of rewriting becomes clear, and unnecessary information can be prevented from being updated by reprogramming.

In addition, as a predetermined condition for rewriting the control program based on the reprogramming information, rewriting is performed in a situation where safety is ensured by performing the rewriting when the ignition switch of the vehicle or the like is OFF, when the engine is idle stopped, and the like. It can be done, and steering assist can be started with the updated reprogramming information.

Furthermore, when the validity of the reprogramming information cannot be confirmed, or when the reprogramming by the reprogramming information fails, the information in the ROM is overwritten by the control program information saved in advance, thereby externally (OTA). It is possible to monitor the validity of the reprogram information transmitted from the center) and ensure the reliability as assist control data.

Further, by reprogramming the ROM with the control program information that was operating normally (returning to the old program), the assist control by the control program whose normal operation has been confirmed can be continued.

If the reprogramming information transmitted from the outside and stored in the predetermined memory is valid, the reprogramming information stored in the predetermined memory without rewriting the contents of the ROM in which the control program is stored. May be performed as it is as an execution target for assist control.

[Second Embodiment]
The electric power steering control device according to the second embodiment of the present invention will be described. The overall configuration of the vehicle management system that manages the vehicle system including the electric power steering control device according to the second embodiment is the same as the vehicle management system shown in FIG. 1 except for the memory configuration described later. Illustration and description are omitted.

FIG. 5 shows the configuration of the control unit and the memory in the motor control device (ECU) 77a of the electric power steering control device according to the second embodiment. The control unit (CPU) 71 is connected to two storage units (ROM1 (81) and ROM2 (83)) via a bus 85. The ROMs 1 and 2 are, for example, an EEPROM (Electrically Erasable and Programmable Read Only Memory) that can be electrically written and erased, or an electrically rewritable flash memory.

Both ROMs 1 and 2 can store the control program transmitted from the OTA center and transmitted via the gateway. The CPU 71 switches to one of the ROMs 1 and 2 to access it, and reads and executes the control program stored in the ROM to perform various processes related to power steering, communication with other ECUs, and the like.

More specifically, among the control programs stored in the ROMs 1 and 2, the CPU 71 targets the information in the ROM in which the control program last updated by the reprogramming information transmitted from the OTA center is stored as the execution target. , Execute assist control.

That is, the last repro is set as the latest program, and the ROM in which the program is stored is determined to be the execution target and is set to be controlled. The ROM after restart is also determined based on the same setting contents as above.

Therefore, by simply switching to the ROM in which the latest reprogramming information is written, it is possible to quickly shift to the execution of assist control by the latest reprogramming information while the control operation by the CPU is continued.

As described above, according to the second embodiment, the control program is performed by replacing the entire ROM in which the control program to be controlled is stored, selecting the ROM in which the latest reprogramming information is stored, and performing the control operation. The newly updated reprogramming information can be stored in the other ROM even while the above is being executed. Then, by selecting the other ROM and performing control based on the reprogramming information stored in the ROM, it is possible to always continue the assist control based on the latest reprogramming information.

Therefore, in the second embodiment, since the two memories are held by the same control unit, it is not necessary to rewrite the newly received control program to another memory, and the reprogramming information is written. By simply switching to the memory, for example, when the same conditions as the specified conditions in the first embodiment are satisfied, it is possible to quickly shift to the execution of the assist control by the latest reprogramming information after the update.

In the second embodiment, when the reprogramming based on the reprogramming information fails, the control program before the update by the reprogramming may be shifted to the assist control to be executed. By doing so, even if the update to the latest control program fails, the pre-update control program stored in ROM1 or ROM2 can be executed, and the assist control by the old program can be easily restored. Is possible.

Further, the configuration may be such that the success / failure status of reprogramming can be notified to the outside of the electric power steering device. As a result, when the reprogramming fails, the reprogramming information can be requested to be downloaded again by notifying the gateway GW 13 or the OTA center 30 to that effect.

By providing the electric power steering system with the electric power steering control device according to the first or second embodiment described above, the updated control program can be used even while the control program is being executed by the electric power steering control device. Since certain reprogramming information is accumulated, reprogramming becomes possible without interrupting the assist control even during the control operation. Then, steering assist can be continued with the latest control program information (reprogramming information) after the update.

[Third Embodiment]
The electric power steering control device according to the third embodiment of the present invention will be described. Since the overall configuration of the vehicle management system that manages the vehicle system including the electric power steering control device according to the third embodiment is the same as the vehicle management system shown in FIG. 1, the illustration and description thereof will be omitted. ..

FIG. 6 shows the configuration of the motor control device (EPS control device) of the electric power steering control device according to the present embodiment. In FIG. 6, the same components as those of the motor control device shown in FIG. 2 are designated by the same reference numerals, and the description thereof will be omitted.

FIG. 7 is a flowchart showing a reprogramming process procedure in the motor control device of the electric power steering control device according to the present embodiment. Here, as a reprogramming process, FOTA (Firmware Over-The-Air) is performed to update the firmware of the electronic control unit ECU mounted on the vehicle by wireless communication.

The control unit (CPU) 21 of the motor control device (ECU) 37a shown in FIG. 6 determines whether or not the repro request command (rewrite start request command) has been received by the in-vehicle network (CAN17) in step S41 of FIG. to decide. When there is a repro request, in step S43, the reprogramming information (repro data) transmitted from the OTA center 30 is received and stored in the external memory 51.

As a result, the reprogramming information transmitted from the OTA center 30 and downloaded by the gateway GW 13 (for example, security patches, updates, and other modifications that are correction programs for security holes) is sent to the motor control device 37a that is the target ECU. Can be installed on.

In step S45, the CPU 21 confirms the validity of the accumulated repro data and determines the success or failure of the repro. Here, for example, the validity of the repro data is monitored by the error detection value signal (CRC signal), the presence or absence of a data abnormality due to the checksum in the repro data, or whether the communication with the OTA center is normal or not. Judge success or failure.

When the CPU 21 determines that the reprogramming has failed, such as when the repro data is not normal, the CPU 21 stores in the non-volatile memory such as the ROM 41 that the repro has failed in step S47. Similarly, when the repro is successful, the fact that the repro was successful is stored in the non-volatile memory (step S49). As a result, the success / failure status of the repro is recorded in the memory.

If the repro is successful, the CPU 21 determines in step S51 whether or not the IG-SW (ignition switch) 58 is OFF from the information from the IG voltage detection unit 45. If it is IG-OFF, it is assumed that the vehicle 10 is stopped and in a safe situation, and in step S53, the control program written in the control area of the ROM 41 is reprogrammed with the repro data accumulated in the above step S43. I do.

On the other hand, if the repro fails, the CPU 21 determines in step S59 whether or not rewriting (retry) by the repro data is possible. If the retry is possible, the process is returned to step S43, and the reprogramming information (repro data) is received again.

When it is determined that the retry cannot be performed, in step S61, a process of returning the control program to the old program before the failure of the repro is performed by rollback at the determination of the CPU 21 of the motor control device 37a which is the target ECU.

After confirming that the IG-SW58 is in the ON state in step S55, the CPU 21 transfers the success / failure state of the repro recorded in the non-volatile memory as described above to the outside (here, the gateway GW13 functioning as the OTA master). Notify (step S57). Then, the gateway GW 13 notifies the OTA center 30 of the success / failure status of the repro in step S63.

The motor control device 37a according to the present embodiment can continue the operation of the CPU 21 even after the IG-SW58 is turned off. Therefore, as shown in FIG. 6, the ignition signal of the IG-SW58 and the self-holding signal from the CPU 21 The power generation unit 28 that generates the power supply of the CPU 21 by the logical sum with 35 is provided. Further, even if the CPU 21 is reset, a capacitor C for holding the self-holding signal 35 to the power generation unit 28 for a specified time is provided.

Here, the specified time is at least the time from resetting the CPU 21 to switch software while the ignition signal is OFF until the CPU 21 restarts and the CPU 21 outputs the self-holding signal 35.

The power generation unit 28 converts the battery voltage + B supplied from the battery BT into a logic level voltage + 5V required for the operation of the control circuit of the CPU 21 or the like and supplies it to the CPU 21 or the like.

In this way, when the CPU is reset after switching the software while the ignition signal is OFF, the power supply to the CPU is continued by configuring the self-holding signal from the CPU to continue in terms of hardware. , The CPU restarts, and the self-holding signal is output again to continue the operation.

As a result, even if the SW reset is performed after the repro while the ignition signal is in the OFF state, the self-holding port output does not turn OFF, the CPU can be restarted, and the success / failure status of the repro can be notified to the outside. The OTA sequence in can be continued.

As described above, the electric power steering control device according to the third embodiment can reliably notify the outside by recording the success or failure of FOTA as a repro success / failure state. As a result, when FOTA fails, it is possible to urge the outside to implement FOTA again.

Therefore, even if a cyber security vulnerability is found in a control program or the like and a security defect called a security hole is found, it can be dealt with promptly, and the user can always use the latest function by the latest control program.

Furthermore, if the security patch that solves the problem cannot be installed by updating the control program due to the failure of FOTA, for example, by displaying it on the car navigation display and making the user aware of it, the user can use the vehicle. Can be safely brought to maintenance shops, dealers, etc.

If the reprogramming fails, for example, the control command values such as the advanced driver assistance system (ADAS) and steerability may be set to less than 100%, and the assist may be continued by the degenerate motor drive. As a result, the minimum assist function for moving the vehicle to a dealer or the like can be continued while limiting the vulnerable functions such as the function of communicating with and controlling an external ECU such as the ADAS system. ..

Recording the success / failure status of the repro in the non-volatile memory is not limited to the above-mentioned example. For example, if the process from receiving reprogramming information from the outside to rewriting the program information in the control area with the reprogramming information is composed of multiple phases, reprogramming is performed at the transition timing to each processing phase. The success / failure status of the above may be recorded in the OTA center, the gateway GW, or the target ECU.

By doing so, for example, the stage where the download of the reprogramming information is completed (Phase 1), the stage where the installation of the reprogramming information is completed (Phase 2), and the stage where the rewriting by the reprogramming information is completed (Phase 3). Etc., it becomes possible to grasp the progress state of OTA in each of a plurality of processing phases.

Further, when the electric power steering control device enters the operation stop state and returns from that state, the OTA processing is restarted from the processing phase corresponding to the operation stop state recorded in the memory among the above-mentioned plurality of processing phases. May be good.

As a result, it becomes clear at which stage (phase) of the OTA processing the repro failed, and it is possible to easily and surely deal with the repro. That is, since the processing can be restarted from the processing phase corresponding to the operation stop among the recorded processing phases, for example, the electric power steering control device is put into the operation stop state (system stop) due to a sudden battery drop (battery cutoff). In some cases, the OTA process can be completed in a shorter time and more efficiently than when the process is restarted from the beginning.

Further, when the processing cannot be restarted from the stopped operation state, the transmission source of the reprogramming information such as the OTA center can easily determine the failure of the OTA by notifying the outside of the inability to restart the process.

[Fourth Embodiment]
The electric power steering control device according to the fourth embodiment of the present invention will be described. Also in the fourth embodiment, the overall configuration of the vehicle management system that manages the vehicle system including the electric power steering control device is the same as the vehicle management system shown in FIG. 1, and the electronic control unit in the electric power steering control device. Since the motor control device (ECU) as the ECU is also the same as the motor control device shown in FIG. 2, the illustration and description thereof will be omitted.

The electric power steering control device according to the fourth embodiment has an encryption unit that encrypts the reprogramming information when the reprogramming information transmitted from the OTA center 30 and downloaded by the gateway GW 13 is stored in the external memory 51. , A decryption unit that decrypts the encrypted reprogramming information when reading the reprogramming information from the ROM 41 in order to rewrite the control program stored in the ROM 41 with the reprogramming information is provided.

Here, an encryption unit and a decryption unit (not shown) are provided in the CPU 21 to perform predetermined encryption processing and decryption processing. Examples of the encryption / decryption method to be used include an AES (Advanced Encryption Standard) method, a DES (Data Encryption Standard) method, and an RSA method. Further, when the CPU 21 has an encryption / decryption function, they may be used, or the reprogramming information may be encrypted and decrypted by using the eigenvalues of the electric motor used in the electric power steering control device. Good.

As for the encryption of the reprogramming information, a method of encrypting the entire reprogramming information at once, or a method of dividing the reprogramming information into a plurality of parts (blocks) and encrypting each block can be considered.

When encrypting each block, for example, a predetermined code (repro code) may be attached to the beginning and end of each block, and the reprogramming information may be encrypted in block units sandwiched between the codes. When encrypting by this method, after erasing the start code indicating the beginning of the block, the writing of the encrypted information is proceeded in the memory, and when the information of the entire block is encrypted, the block is blocked. Erase the exit code that marks the end of.

Therefore, if neither the start code nor the end code is erased, or if only one code is erased and the other code remains, the information of the block sandwiched between those codes is encrypted. Can be determined that is not finished (encryption failed).

By encrypting and duplicating the reprogramming information stored in the external memory in this way, it is possible to maintain the confidentiality of the reprogramming information, prevent unauthorized decryption and falsification, and improve the security of the reprogramming information.

In addition, by dividing the reprogramming information into blocks and encrypting and duplicating each block, when rewriting with the reprogramming information, the reprogramming information is temporarily stored according to the RAM capacity of the CPU. It can be encrypted and compounded in units of data, and the pressure on the memory that stores the control program information to be executed can be suppressed.

In each of the above-described embodiments, the ROM 41 may be a non-volatile memory (for example, NVRAM (Non-Volatile RAM)), and has a code flash area in which the control program is stored and a data flash area in which the control data is stored. It may be composed of and.

The present invention is not limited to the above embodiment, and various modifications are possible. For example, a means for monitoring the ambient temperature of the memory for storing the reprogramming information may be provided so that the reprogramming information is not rewritten when the ambient temperature exceeds the guaranteed operating temperature of the memory.

In this way, it monitors whether the memory in which the reprogramming information is stored is within the assumed temperature range (guaranteed operating temperature), and based on the monitoring result, the reliability of the reprogramming information stored in the memory. Can be secured. Therefore, assist control based on normal repro information and improvement of reliability can be ensured.

1 Vehicle management system 5 Vehicle system 7a, 37a, 77a Motor control device (ECU)
10 Vehicle 11 Communication Control Unit (TCU)
13 Gateway (GW)
15 Electric motor 17H, 17L CAN signal line 20 Communication network (NW)
21,71 Control unit (CPU)
23 Inverter control unit 24 Inverter circuit 25 Data bus 26 Filter 27 Power supply relay 28 Power supply generation unit 30 OTA center 31 Communication unit 32 Compression unit 33 Difference generation unit 35 Self-holding signal 41,81,83 ROM
43 RAM
45 IG voltage detector 47 CANI / F
51 External memory 55 Rotation sensor 57 Torque sensor 58 Ignition switch (IG-SW)
59 Vehicle speed sensor 60 Electric power steering system 62 Steering handle 63 Rotating shaft 64 Reduction gear 66 Pinion gear 67 Rack shaft BT Battery C capacitor

Claims (23)

An electric power steering control device that drives an electric motor to assist and control the steering wheel operation of a driver of a vehicle or the like.
A control unit that executes the assist control and
A first storage unit that stores control program information to be executed by the control unit, and
A second storage unit that stores reprogramming information sent from the outside,
With
The reprogramming information is stored in the second storage unit even while the control unit is executing the control program information, and the control unit is stored in the second storage unit after a predetermined condition is satisfied. Electric power steering that reads programming information, performs a rewriting step of rewriting the control program information of the first storage unit with the reprogramming information, and performs assist control for executing the reprogramming information rewritten by the rewriting step. Control device. The electric power steering control device according to claim 1, wherein the predetermined condition includes when the vehicle or the like is stopped or when the assist control is stopped. The electric power steering control device according to claim 1, wherein the rewriting process is started after receiving the rewriting start request command from the in-vehicle network of the vehicle or the like. The electric power steering control device according to claim 1, wherein the rewriting step includes a partial rewriting step of the first control program. A means for storing the reprogramming information in the second storage unit and saving the control program information in advance,
A means of confirming the validity of the reprogramming information,
With more
Claim 1 in which the information in the first storage unit is overwritten by the control program information saved in the second storage unit when the validity cannot be confirmed or the reprogramming by the reprogramming information fails. The electric power steering control device described in. A third storage unit that stores the control program information in advance, and
A means of confirming the validity of the reprogramming information,
With more
Claim 1 in which the information in the first storage unit is overwritten by the control program information saved in the third storage unit when the validity cannot be confirmed or the reprogramming by the reprogramming information fails. The electric power steering control device described in. Further provided with means for monitoring the ambient temperature of at least the second storage unit,
The electric power steering control device according to any one of claims 1 to 6, wherein the rewriting step based on the reprogramming information is not performed when the ambient temperature exceeds the guaranteed operation temperature of the second storage unit. The first storage unit is a memory built in the control unit, and the second storage unit is an external memory provided outside the control unit, according to any one of claims 1 to 5. Electric power steering control device. The sixth aspect of claim 6, wherein the first storage unit is a memory built in the control unit, and the second storage unit and the third storage unit are external memories provided outside the control unit. Electric power steering control device. Both the first storage unit and the second storage unit are built in the control unit and can store control program information to be executed by the control unit.
The control unit executes assist control with the control program information last updated by the reprogramming information among the control program information stored in the first storage unit and the second storage unit as an execution target. The electric power steering device according to claim 1. The electric power steering control device according to claim 10, wherein when the reprogramming based on the reprogramming information fails, the control unit shifts to the assist control in which the control program information before the update by the reprogramming is executed. An electric power steering control device that drives an electric motor to assist and control the steering wheel operation of a driver of a vehicle or the like.
A control unit that executes the assist control and
A fourth storage unit that stores control program information to be executed by the control unit, and
A fifth storage unit that stores reprogramming information sent from the outside,
With
The reprogramming information is stored in the fifth storage unit even while the control unit is executing the control program information, and the control unit is stored in the fifth storage unit after a predetermined condition is satisfied. An electric power steering control device that performs assist control for executing programming information. The electric power steering device according to claim 1 or 12, further comprising a notification means for notifying the outside of the electric power steering device of the success / failure status of reprogramming based on the reprogramming information. A first storage unit that stores the success / failure status of the reprogramming,
A means for determining the ON / OFF state of the ignition signal based on the ignition voltage value supplied via the ignition switch of the vehicle or the like, and
With more
The electric power steering device according to claim 13, wherein the notification means notifies the outside of the success / failure state stored in the first storage unit when the ignition signal is turned on. A power generation unit that generates an operating power source for the control unit based on an ignition signal based on an ignition voltage value supplied via an ignition switch of the vehicle or the like and a self-holding signal from the control unit.
An input continuation means for continuing the input of the self-holding signal to the power generation unit for a predetermined time, and
13. The electric power steering device according to claim 13. The predetermined time is the time from resetting the control unit when the ignition signal is in the OFF state to at least the time from when the restarted control unit outputs the self-holding signal, according to claim 15. Electric power steering device. When the success / failure state of the reprogramming is a state in which the reprogramming has failed, one or a plurality of control command values related to the driving support function of the vehicle or the like are set to control command values corresponding to a predetermined degeneracy control. Or the electric power steering device according to 12. The reprogramming information is encrypted by a predetermined encryption method when stored in the external memory or the fifth storage unit, and is encrypted by a predetermined decryption method when read from the external memory or the fifth storage unit. The electric power steering control device according to claim 9 or 12, which is decoded by. The electric power steering device according to claim 18, wherein the reprogramming information is divided into blocks to perform the encryption and the duplication. The process from receiving the reprogramming information from the outside to rewriting the control program information with the reprogramming information is composed of a plurality of processing phases, and the success or failure of the reprogramming is performed at the transition timing to each of the processing phases. The electric power steering apparatus according to claim 1 or 12, further comprising a second storage unit for recording a state. When the electric power steering control device returns from the operation stop state, a predetermined process is restarted from the process phase corresponding to the operation stop state recorded in the second storage unit among the plurality of process phases. The electric power steering device according to claim 20. The electric power steering device according to claim 21, wherein when the restart is impossible, the restart is notified to the outside. An electric power steering system including the electric power steering control device according to any one of claims 1 to 22.

Images